European Parliament comes under fire from its own privacy regulator over election data concerns

Ooops! When you claim the moral high ground, make sure your house is in order...

After spending years claiming the moral high ground around privacy, the European Parliament stands accused by its own data protection watchdog of passing on personal data to a US company that was dubbed Donald Trump’s ‘secret weapon’ in the 2016 Presidential Election.

According to the outcome of an investigation by the European Data Protection Supervisor (EDPS), the Parliament used US software company NationBuilder to process political data concerning more than 300,000 people during the European Union (EU) elections back in May.

The EDPS says that the Parliament used a website, thistimeimvoting.eu, to collect data from more than 329,000 people interested in the election campaign activities. That data was then processed by NationBuilder as part of a €135,000 contract.

As a result of its investigation, the Supervisor issued its first ever reprimand aimed at an EU institution, citing contravention by the Parliament of Article 29 of Regulation (EU) 2018/1725, involving the selection and approval of sub-processors used by NationBuilder. A second reprimand followed when the Parliament failed to publish a compliant Privacy Policy for the thistimeimvoting website within the deadline set by the EDPS.

In 2016, the Trump campaign used NationBuilder’s tech to coordinate volunteer efforts. The company’s services were also used by the VoteLeave team in the UK’s Brexit referendum among others.

Basic use?

In its defense, the Parliament says it only used NationBuilder’s services to run a pilot project around an information campaign. This, it says in a statement, only used “basic functionalities”, and "never used the features that allows to cross date with external third parties”. It insists:

No data was ever shared with other systems and people can only sign up if they give their explicit consent.

It also states that data was not linked to social media profiles:

No data from other sources was purchased or uploaded.

For its part, NationBuilder issued a statement in support of its client:

As the European Parliament has explained, they used NationBuilder’s software for customer relationship management to motivate democratic participation among EU citizens in the 2019 European Parliament elections.

It argues that its software is built around “advanced privacy and consent tools” to comply with data protection legislation:

The sanctity of customer data is core to our company — we do not share or sell our customers’ data, and every NationBuilder customer has a self-contained database.

We agree with the EDPS that strong data protection rules are essential for democracy, especially in the digital age. NationBuilder is — and always has been — committed to the highest standards of privacy and data protection.

However, Wojciech Wiewiórowski, who earlier this week was named as the next European Data Protection Supervisor, admitted to the MEPs on the Civil Liberties Committee that Parliament had not been able to control the processing of the data sufficiently. He added that his office had ordered the contract to be cancelled and any data gathered to be deleted.

In a statement issued on Thursday, Wiewiórowski said the EDPS investigation is ongoing:

The EU parliamentary elections came in the wake of a series of electoral controversies, both within the EU Member States and abroad, which centred on the the threat posed by online manipulation. Strong data protection rules are essential for democracy, especially in the digital age. They help to foster trust in our institutions and the democratic process, through promoting the responsible use of personal data and respect for individual rights. With this in mind, starting in February 2019, the EDPS acted proactively and decisively in the interest of all individuals in the EU to ensure that the European Parliament upholds the highest of standards when collecting and using personal data.

The Supervisor says:

The EDPS will continue to check the Parliament’s data protection processes, now that the European Parliament has finished informing individuals of their revised intention to retain personal data collected by the thistimeimvoting website until 2024. The outcome of these checks could lead to additional findings.

My take

Physician, heal thyself. There will be many a raised eyebrow in certain quarters of the US social media sector about this public admonishment of the European Parliament - and not without reason. If you set yourselves up on a data privacy high horse, you really ought to make sure the saddle is on tightly or you might take a nasty tumble.

This is an ongoing inquiry by the EDPS and as such there are unanswered questions left hanging for now. But the Supervisor clearly has the bit between its teeth, warning:

The EDPS expects the EU institutions, offices, bodies and agencies to lead by example in ensuring that the interests of all those living in the EU are adequately protected when their personal data is processed.

In an age when the impact of digital technologies and platforms on the democratic process is under the spotlight, it’s to be hoped that the EDPS puts that statement into action.